3

I'm currently working on a .NET Core 2.1 application in C#. I want to protect my application source code from copy piracy. In general, I know that C# can fairly easily be reverse engineered. I need to ship my final software product to the customer, but I don't want anybody to read my source code. The software will be installed on a Windows Server; I cannot provide remote access as it is hosted in a closed environment (no internet there).

How can I protect my software from reverse engineering?
What do you do or which tools and frameworks do you use to secure your .NET Core 2.1 source code from piracy in 2018?
Is it still worth it to obfuscate your code?
Should I rather just write a secure library for my business logic in C++?

Thanks for sharing some ideas!

timhorton42
  • 1
    In short, you can't protect it from everyone no matter what you use or how you write it. The best bet is to use a code obfuscator like Dotfuscator. – kemiller2002 Dec 14 '18 at 13:33
  • 1
    They cannot read "your" source code, but it is impossible to stop software from being reverse engineered. If you did anything to stop that then it would also stop it from running. – Reinstate Monica Cellio Dec 14 '18 at 13:33
  • 1
    Can you share more details about your project? Is all of it deployable to the customer? Can you host a part of it on your premises? You can have a thin client deployed to the customer, and the really interesting part running on your servers. This way, your super secret custom business logic is totally in your control. This will also give you more headaches. – DaeMoohn Dec 14 '18 at 13:37
  • It will be a full installation on a Windows Server at the client side. As it is a closed environment, we cannot provide remote access to some logic parts unfortunately. – timhorton42 Dec 14 '18 at 13:39
  • @timhorton42 So you want to protect your code from other people or from the client itself? – Franck Dec 14 '18 at 13:41
  • @Franck, client and other coworkers who will use the DLL. ;) – timhorton42 Dec 14 '18 at 13:43
  • Depending on what it is your program does perhaps you can keep the sensitive stuff on a server that the client application has to access. – Magnus Dec 14 '18 at 13:44
  • 2
    You want to stop co-workers seeing your source code? Please tell me where you work so I can make sure *never* to apply for a job there! Do you not have a central repository or any type of source control??? If one of my co-workers stopped me seeing their code it would be my responsibility to examine it in great detail and discover why. Sounds like someone who needs to be let go. – Reinstate Monica Cellio Dec 14 '18 at 13:46
  • @Magnus it's a DLL on the server, so being .NET Core, chances are that the user does remote desktop to the server, so they must be local :( – Franck Dec 14 '18 at 13:47
  • @Archer sorry, it's not about coworkers of course, but rather subcontractors who just use the DLL business logic when extending the app. – timhorton42 Dec 14 '18 at 13:53
  • 1
    That sounds more like an issue with how your contracts are written with your subcontractors. There should be a clause in their contract that says "you can't steal code from us". – Gabriel Luci Dec 14 '18 at 13:54
  • 2
    Still, if you have contractors then they should be trusted enough to work with your code. It's highly unlikely that any of them would even want to reverse engineer something that you code, anyway. If there is reason to protect your code from sub-contractors then you don't need code obfuscation - you need NDAs. – Reinstate Monica Cellio Dec 14 '18 at 13:55
  • 2
    The only guaranteed way to stop people reverse-engineering code is to **not give it them** - think: "service endpoint" (web-service, etc); just look at how quickly games are cracked and hacked, when they are in C/C++ - this isn't a battle anyone can win (although you can make it harder for casual folks to look into the implementation) – Marc Gravell Dec 14 '18 at 14:06
  • Looks like native forever and no needs in obfuscators; Looks like net core RT workable solutions; soon all apps will go to .net core; https://www.codeproject.com/Articles/5262251/Generate-Native-Executable-from-NET-Core-3-1-Proje?msg=5753507#xx5753507xx https://learn.microsoft.com/en-us/archive/msdn-magazine/2018/november/net-core-publishing-options-with-net-core not tested maybe with old win .net sdk possible do similar. – user1005462 Oct 04 '20 at 14:39

3 Answers

3

Is it still worth it to obfuscate your code?

This is a matter of opinion, but in my opinion, no, it's not worth it.

Have you ever tried decompiling .NET code? Sure, it can be done with tools like JustDecompile, but it doesn't decompile into your original source code. It's actually quite difficult to read. Give it a try.

Even C++ can be "decompiled", although yes, it's even harder to read.

But the bottom line is this: if someone really wants to reverse engineer your code, they can do it and there's nothing you can do to stop them.

Gabriel Luci
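
An added example (not part of the answer above or of any tool named on this page): a C# console program that lists what a compiled assembly's metadata exposes through reflection, including non-public types, fields, methods and parameter names, which are stored in the DLL regardless of access modifiers. `PricingEngine` and `MetadataAudit` are hypothetical names; pass the path of your own build output to see the names a decompiler starts from and that a renaming obfuscator would replace.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Hypothetical business-logic class standing in for the code being shipped.
internal sealed class PricingEngine
{
    private readonly decimal _partnerDiscountRate = 0.15m;
    private decimal ApplyPartnerDiscount(decimal listPrice) => listPrice * (1 - _partnerDiscountRate);
    public decimal Quote(decimal listPrice) => ApplyPartnerDiscount(listPrice);
}

public static class MetadataAudit
{
    // Include private and internal members; DeclaredOnly skips inherited ones.
    private const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    public static void Main(string[] args)
    {
        // Audit the DLL given as the first argument, or this program's own assembly.
        Assembly asm = args.Length > 0
            ? Assembly.LoadFrom(args[0])
            : typeof(MetadataAudit).Assembly;

        foreach (Type t in asm.GetTypes().OrderBy(x => x.FullName))
        {
            Console.WriteLine($"{(t.IsVisible ? "visible   " : "non-public")} type {t.FullName}");

            foreach (FieldInfo f in t.GetFields(All))
                Console.WriteLine($"    field  {f.FieldType.Name} {f.Name}");

            foreach (MethodInfo m in t.GetMethods(All))
            {
                // Parameter names live in metadata; local variable names do not (they are in the PDB).
                string ps = string.Join(", ",
                    m.GetParameters().Select(p => $"{p.ParameterType.Name} {p.Name}"));
                int ilBytes = m.GetMethodBody()?.GetILAsByteArray()?.Length ?? 0;
                Console.WriteLine($"    method {m.ReturnType.Name} {m.Name}({ps})  [{ilBytes} bytes of IL]");
            }
        }
    }
}
```

Run without arguments, the output includes `_partnerDiscountRate` and `ApplyPartnerDiscount(Decimal listPrice)` even though both are private.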
1

In two words, you can't.

In more words:

There are things that will constrain your application to certain conditions, such as using hardware keys or network boundaries.

Take a look

Protect .NET code from reverse engineering?

MrVoid
1

In a word, no. But you can use a code obfuscator, and if you are really intent, going into unmanaged code and trapping the debug interrupt.

I am assuming you need to protect trade secrets. The use of non-compete agreements protects you to a large extent, along with contracts.

You will almost certainly be protected from all but the most determined with the above safeguards.

Mark McWhirter